Top 20 worst passwords for data breaches

123456

123456789

qwerty

password

111111

12345678

abc123

1234567

password1

12345

1234567890

123123

000000

iloveyou

1234

1q2w3e4r5t

qwertyuiop

123

monkey

dragon

The NCSC recommends that you change your password immediately if you see it anywhere on the list of 100,000 passwords most commonly found in data breaches. Dr. Ian Levy, NCSC Technical Director, suggests combining three random words to create a hard-to-guess password.

Why using one of these worst passwords is a cybersecurity problem

Using passwords that have been commonly found in data breaches pose a risk for both individuals and companies. Passwords on this list are already in the public domain and have been shared by hackers, and cyber-attackers commonly use lists like this when trying to hack into a system.

Attackers have been able to breach corporate networks and move into the internal system due to a single weak point, such as use of a password from one of these lists.

Most commonly used passwords in breaches by name, Premier League football teams, musicians, and fictional characters

The UK Cyber Survey also identified categories of most commonly used passwords found in breaches. Find the top passwords in each category below:

Ashley was the most common first name to be used as a password in a breach.

Liverpool was the most common Premier League football team to be used as a password in a breach.

Blink182 was the most common password related to music to be used in a breach.

Superman was the most common fictional character to be used as a password that appeared in a breach.

Troy Hunt cybersecurity tools

Hunt created Have I Been Pwned, a tool that allows users to check if one of their accounts has been compromised, after the Adobe breach of customer accounts. The data comes from past breaches, which are situations where data is exposed to a vulnerable system.

The Pwned Passwords feature allows individuals in any country to check if one of their passwords has ever been seen in a data breach. Exposure to breaches makes any password unsuitable for use because they are at a much greater risk of being used to take over other accounts.